A web application is a computer software application that is hosted in a web browser-controlled environment or coded in a web browser-supported language (such as JavaScript, combined with a browser-rendered markup language like Hyper Text Markup Language (HTML)) and that relies on a common web browser to run the application.
The Hypertext Transfer Protocol (HTTP) is a networking protocol that functions as a request-response protocol in the client-server computing model. In HTTP, a web browser, for example, acts as a client (referred to as an HTTP client running on a client device), while a web application running on a computer hosting a web site functions as a server (referred to as a web application server running on a server). The HTTP client submits an HTTP request message to the web application server. The web application server, which stores content, provides resources such as HTML files, or performs other functions on behalf of the HTTP client, returns a response message to the HTTP client. A response contains completion status information about the request and may contain any content requested by the HTTP client in its message body. HTTP resources are identified and located on the network by Uniform Resource Identifiers (URIs)—or, more specifically, Uniform Resource Locators (URLs)—using the HTTP or HTTPS URI schemes. The original version of HTTP (HTTP/1.0, RFC 1945) was revised in HTTP/1.1 (RFC 2616, since superseded by RFCs 7230-7235 and later RFCs 9110-9112).
As used herein, a network element (e.g., a router, switch, bridge) is a piece of networking equipment, including hardware and software, which communicatively interconnects other equipment on the network (e.g., other network elements, end stations). Some network elements are “multiple services network elements” that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video). Client end stations are client devices (e.g., server hardware, workstations, laptops, netbooks, palm tops, mobile phones, smartphones, multimedia phones, Voice Over Internet Protocol (VOIP) phones, user equipment, terminals, portable media players, GPS units, gaming systems, set-top boxes) running an HTTP client (e.g., a web browser) that access content/services provided over the Internet and/or content/services provided on virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet. The content and/or services are typically provided by one or more end stations (e.g., server end stations comprising server hardware) running a web application server and belonging to a service or content provider, or by end stations participating in a peer-to-peer service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g., username/password accessed webpages providing email services), and/or corporate networks over VPNs. Typically, client end stations are coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to edge network elements, which are coupled (e.g., through one or more core network elements) to other edge network elements, which are coupled to other end stations (e.g., server end stations).
Great effort has been made to protect servers and databases from outside security attacks and penetration. These efforts typically focus on watching traffic into and out of the server or database and in keeping the software and data of the server or database free from malware. These efforts have been successful enough that new methods of attack have been created that focus instead on user or client devices. A particularly difficult threat is one that appears to come from an authorized user. In some cases, the user's credentials have been surreptitiously acquired. In other cases, the user's client device and credentials have been appropriated. This can be done with or without the user's knowledge. One class of attacks uses an authorized user's client web browser and credentials in order to gain access to a web application server, and possibly a database through the web application server. This type of attack has been referred to as a man-in-the-browser attack.
From the perspective of the web application server, a man-in-the-browser (MitB) attack is particularly difficult to defend against because the browser is that of a legitimate user, with legitimate credentials, and possibly even legitimate hardware. While there are efforts to fight such attacks at the client device, these efforts rely on the user of the client device, and may therefore be inconsistent or postponed. The user may not have enough incentive or resources to apply to this effort. In addition, there are typically many users but only one web application server, so it is more costly to provide protection at every user site than to provide it at the server.
In some attacks, including some of those referred to as man-in-the-browser attacks, malware is installed onto a client device that alters the behavior of a web interface. The web interface may be a web browser such as Internet Explorer™, Firefox™, Chrome™, or Safari™; however, similar techniques may also be applied to other types of web interfaces, including specific or custom applications that provide a portal to network resources. For a successful man-in-the-browser attack, the user's client device appears to the user to be operating properly. Many of the malware operations are intentionally concealed from the user. Typically, the malware alters the behavior of the web interface in order to obtain additional information from either the client device or a web application server with which the HTTP client communicates. In other cases, the malware will seek to install additional malware on the client device or the web application server.
In the present description, “malware” will be used to refer to any type of programming code that runs on an electronic device (e.g., a client device, a server, an appliance) and that seeks to use that hardware for some purpose other than what the user or operator of the hardware intends. Malware may be in the form of application software, JavaScript or other script code, Java applets, servlets, or macros.
In the typical man-in-the-browser attack, installation code is launched and installs a malware kit. The malware kit adds new functionality to a web browser. The typical functions are to collect personal information or login credentials from the HTTP client or to use the HTTP client's credentials to collect information from a web application server after the HTTP client logs on to the web application server. The malware then sends the collected information to a third party for any of a variety of different undesired or nefarious uses. There are many other types of attacks, such as using the client device as an anonymous web client, using the client device to participate in a denial of service attack, using the client device to distribute worms or Trojan horses, etc. More kinds of attacks and uses for malware will doubtless be created over time.
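The two preceding paragraphs describe a malware kit that wraps the browser's request path to read credentials and to add content the served page never had. The following is an added example, not code from the original page or from any product it describes: a small Node.js model of such a hook, together with the two checks a practitioner would reach for first, a client-side test that a wrapped built-in no longer reports `[native code]`, and a server-side comparison of the submitted field names against the form the server actually served. The `postLogin` function, the injected `atm_pin` field and the sample credentials are constructed for the demonstration; in a real browser the hooked function would be `XMLHttpRequest.prototype.send` or `fetch`.

```javascript
'use strict';
// Added example, not code from the original page: a model of a
// man-in-the-browser (MitB) hook and two checks that can catch it.
// Runs under Node.js; no browser or DOM is involved. postLogin, the
// atm_pin field and the credentials below are constructed for the demo.

// Victim side: a stand-in for the HTTP client's request function.
// In a real browser this would be XMLHttpRequest.prototype.send or fetch.
function makeClient() {
  return {
    postLogin(fields) {
      // Echo the submitted field set back so callers can inspect it.
      return { status: 200, fields: { ...fields } };
    },
  };
}

// Attacker side: the hook a malware kit installs. It wraps the request
// function, copies the credentials out, and injects a field the served
// form never contained (a constructed "atm_pin" prompt).
function installMitbHook(client, stolen) {
  const original = client.postLogin;
  client.postLogin = function (fields) {
    stolen.push({ user: fields.username, pass: fields.password });
    return original.call(this, { ...fields, atm_pin: '1234' });
  };
}

// Check 1 (client side): a JavaScript wrapper around a native function no
// longer prints "[native code]" when stringified. Cheap, but evadable if
// the malware also replaces Function.prototype.toString.
function isNativeFunction(fn) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Demonstrate check 1 on a real built-in: wrap JSON.stringify the way
// malware would, observe the check flip, then restore the original.
function demoNativeWrap() {
  const saved = JSON.stringify;
  const before = isNativeFunction(JSON.stringify);
  JSON.stringify = function (...args) { return saved.apply(this, args); };
  const after = isNativeFunction(JSON.stringify);
  JSON.stringify = saved;
  return { before, after };
}

// Check 2 (server side): the web application server knows which fields the
// form it served contains; a submission carrying a different set of field
// names is evidence that something in the browser altered the page.
const EXPECTED_LOGIN_FIELDS = ['username', 'password', 'csrf_token'];
function fieldSetMatches(submitted, expected = EXPECTED_LOGIN_FIELDS) {
  const got = Object.keys(submitted).sort();
  const want = [...expected].sort();
  return got.length === want.length && got.every((name, i) => name === want[i]);
}

// Run one login with or without the hook and report what each side sees.
function simulateLogin(hooked) {
  const client = makeClient();
  const stolen = [];
  if (hooked) installMitbHook(client, stolen);
  const response = client.postLogin({ // constructed sample credentials
    username: 'alice',
    password: 'correct horse battery staple',
    csrf_token: 'tok-4f2a',
  });
  return {
    submittedFields: Object.keys(response.fields).sort(),
    serverAccepts: fieldSetMatches(response.fields),
    stolen,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('clean login :', simulateLogin(false));
  console.log('hooked login:', simulateLogin(true));
  console.log('native check:', demoNativeWrap());
}
```

The server-side check is the one that matters for the problem the text raises: it needs no cooperation from the user and runs once at the server rather than at every client. It only catches hooks that change the shape of a request, though; a hook that merely copies the credentials and forwards an unmodified request is invisible to it, which is why the client-side native-code test is shown alongside even though a kit that also patches `Function.prototype.toString` defeats it.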